HIPAA Tip: Things to Consider When Selecting an EMR
[Posted 01/06/05]
Many CMA physicians have received sales pitches for “HIPAA compliant” electronic medical records (EMR) systems. Physicians should be aware that software itself cannot be compliant. It should, however, have certain features that allow your practice to maintain HIPAA compliance.
To comply with HIPAA’s privacy rule and the soon-to-be-implemented security rule, EMR software should be able to, among other things:
- Flag missing documents. For example, if a patient has not acknowledged receipt of your Notice of Privacy Practices, does the EMR call this to the attention of the front office staff?
- Notify users if the patient has designated a “confidential communication channel.” For example, has the patient requested that no messages be left on her home answering machine? The system should alert anyone who might interact with the patient—for appointment reminders, scheduling, laboratory results, or even billing—of the patient’s request.
- Partition patient data. HIPAA mandates minimum necessary disclosure of patient data. Your EMR should provide “role based” access so users can access only the part of the medical record relevant to their job.
- Keep a log of every time a patient’s information is accessed. Not only should the system record when your staff views a patient record, but it should also keep track of all fulfilled requests for patient data (for example, requests for medical records from a health plan, a public health agency, or even another physician).
- Encrypt patient data, even at rest.
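The following is an added example, not code from CMA or from any EMR vendor, showing in miniature what the first four features in the list above look like when they are actually built: role-based (minimum necessary) access to record sections, an audit log that records every view attempt (allowed or denied) and every fulfilled external disclosure, a report of patients with no Notice of Privacy Practices acknowledgement on file, and a confidential-communication alert shown before anyone contacts the patient. The role names, section names, and patient data are constructed for the example; a real EMR defines its own. Encryption at rest (the fifth feature) is a storage-layer concern and is not modelled here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Record sections each role may read. Role and section names are assumptions
# for this example; a real EMR defines its own role model.
ROLE_PERMISSIONS = {
    "physician":    {"demographics", "scheduling", "clinical", "billing"},
    "front_office": {"demographics", "scheduling"},
    "billing":      {"demographics", "billing"},
}


@dataclass
class PatientRecord:
    patient_id: str
    sections: dict                     # section name -> content
    npp_acknowledged: bool = False     # Notice of Privacy Practices receipt on file?
    # Patient-designated confidential communication channels, e.g.
    # "no messages on home answering machine".
    confidential_channels: list = field(default_factory=list)


class EMR:
    def __init__(self):
        self.records = {}
        self.audit_log = []            # append-only list of access events

    def add_patient(self, record):
        self.records[record.patient_id] = record

    def _log(self, actor, role, patient_id, action, section, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "patient_id": patient_id,
            "action": action, "section": section, "outcome": outcome,
        })

    def read_section(self, actor, role, patient_id, section):
        """Role-based read: every attempt is logged, whether allowed or denied."""
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        self._log(actor, role, patient_id, "view", section,
                  "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{role} may not view {section}")
        return self.records[patient_id].sections[section]

    def disclose(self, actor, role, patient_id, section, recipient):
        """Fulfil an external request (health plan, public health agency,
        another physician); logged as a disclosure, not just a view."""
        data = self.read_section(actor, role, patient_id, section)
        self._log(actor, role, patient_id, "disclosure", section,
                  f"released to {recipient}")
        return data

    def missing_documents(self):
        """Patients with no NPP acknowledgement on file, for front-office follow-up."""
        return sorted(pid for pid, r in self.records.items() if not r.npp_acknowledged)

    def contact_alerts(self, patient_id):
        """Alerts shown to anyone (scheduling, lab, billing) about to contact the patient."""
        return list(self.records[patient_id].confidential_channels)

    def access_history(self, patient_id):
        """Everything the log holds for one patient: views, denials, disclosures."""
        return [e for e in self.audit_log if e["patient_id"] == patient_id]


def build_sample_emr():
    """Constructed sample data for the example; not real patients."""
    emr = EMR()
    emr.add_patient(PatientRecord(
        "P001",
        {"demographics": "Jane Doe, DOB 1970-01-01",
         "scheduling": "next visit 2005-02-10",
         "clinical": "visit note: routine follow-up",
         "billing": "CPT 99213"},
        npp_acknowledged=True,
        confidential_channels=["no messages on home answering machine"],
    ))
    emr.add_patient(PatientRecord(
        "P002",
        {"demographics": "John Roe, DOB 1965-05-05",
         "scheduling": "", "clinical": "", "billing": ""},
        npp_acknowledged=False,
    ))
    return emr


if __name__ == "__main__":
    emr = build_sample_emr()
    print(emr.read_section("dr_smith", "physician", "P001", "clinical"))
    try:
        emr.read_section("reception1", "front_office", "P001", "clinical")
    except PermissionError as e:
        print("denied:", e)
    emr.disclose("dr_smith", "physician", "P001", "clinical", "Acme Health Plan")
    print("missing NPP acknowledgements:", emr.missing_documents())
    print("before contacting P001:", emr.contact_alerts("P001"))
    for event in emr.access_history("P001"):
        print(event)
```

The point worth checking when evaluating a vendor's product is the same one the code makes explicit: the denied attempt by the front-office user is logged just like the successful one, and the disclosure to the health plan appears as its own event rather than being indistinguishable from an ordinary chart view.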
Physicians should also be wary of claims that an EMR will “help you always code at the highest level.” There is nothing inherently wrong about an EMR that provides CPT coding guidance based on the medical record you create. However, allowing your EMR software to select CPT codes without a periodic review or audit to ensure that the correct codes are being billed could put you in violation of Medicare fraud and abuse laws. Ask the vendor what “edit criteria” it uses (for example, the Correct Coding Initiative) and if it periodically audits the system’s CPT selections.
Click here to download a short checklist of HIPAA requirements to consider when purchasing an EMR. CMA is actively pursuing resources to help our members select and implement EMR systems. Stay tuned to future issues of CMA Alert for more details.
More HIPAA information can be found in the CMA/PrivaPlan HIPAA Privacy and Security Compliance Toolkit. CMA members can purchase the toolkit for $325 (nonmember price is $495). The toolkit contains all the information, forms and help you need to comply with HIPAA’s privacy and security rules. Toolkit users can also participate in a free online discussion group moderated by PrivaPlan’s HIPAA compliance experts. For more information on the toolkit, visit the HIPAA Help Center.
For an overview of HIPAA’s privacy and security rules, see ON-CALL, CMA’s online library of medical-legal information. ON-CALL documents are free to members at CMA’s members-only website. Nonmembers can purchase ON-CALL documents from the CMA bookstore.
Contact: CMA’s legal information line, 415/882-5144 or legalinfo@cmanet.org.